Manage Encrypted Shared Folders

In Control Panel > Shared Folder, you can click an encrypted shared folder and manage its mount status or encryption key from the Encryption drop-down menu. The options available in this menu differ for each shared folder, depending on its encryption and mount status.

Shared folder status | Mount status | Encryption key saved in Key Manager | Actions available

Unencrypted | - | -
  • Go to Key Manager to manage keys

Encrypted | Mounted | -
  • Unmount the folder
  • Export key for safekeeping
  • Go to Key Manager to manage keys

Encrypted | Unmounted | No
  • Mount a folder by entering or importing its encryption key
  • Go to Key Manager to manage keys

Encrypted | Unmounted | Yes
  • Mount a folder by entering or importing its encryption key
  • Mount a folder by using a key saved in key store
    • When the key store is located in a system partition, you can use an encryption key stored in Key Manager to mount the shared folder
    • When the key store is located in an external device, you can enter the passphrase for Key Manager to mount the shared folder
  • Go to Key Manager to manage keys

Managing Encryption Keys in Key Manager

You can save encryption keys of encrypted shared folders in Key Manager. You can then use the saved encryption keys to mount or unmount multiple shared folders at the same time.

Term explanation:

  • Key store: A key store is a physical location for storing the encryption keys. It can be any external device or system partition supported by Synology NAS.
  • Cypher: A cypher is a method of encrypting keys of encrypted shared folders. Key Manager provides two types of cyphers.
    • Passphrase: Keys encrypted by a passphrase can be decrypted by anyone in possession of the passphrase. This option is available only if you used an external device as the key store.
    • Machine key: Keys encrypted by a machine key can only be decrypted by the Synology NAS they are bound to.

Note:

To initialize a key store:

  1. Go to Control Panel > Shared Folder > Encryption > Key Manager.
  2. Select an external device or system partition as the key store from Key Store Location. We recommend using an external device because it is safer to store the encrypted file and the corresponding key on different devices.
  3. Enter a passphrase into the Passphrase field for this key store.
  4. Click Initialize to save the settings.

To add a new key to a key store:

  1. Make sure that you have initialized a key store.
  2. Go to Control Panel > Shared Folder > Encryption > Key Manager.
  3. Click Add.
  4. Select an encrypted shared folder.
  5. Select the cypher for the encryption key. You can select either Passphrase or Machine key.

    Note: Only Machine key supports automatically mounting encrypted shared folders on boot.

  6. Enter or import the encryption key.
  7. Click OK to save the settings.

To manually mount multiple encrypted shared folders:

  1. Make sure that you have added keys to the key store.
  2. Go to Control Panel > Shared Folder > Encryption > Key Manager.
  3. Select the encrypted shared folders you want to mount.
  4. Go to Encryption > Mount.

To automatically mount multiple encrypted shared folders on boot:

  1. Make sure that you have added keys to the key store.
  2. Go to Control Panel > Shared Folder > Encryption > Key Manager.
  3. Tick Mount on Boot for the encrypted shared folders you want to mount on boot.
  4. Click OK to save the settings.

    Note: Only Machine key supports automatically mounting encrypted shared folders on boot.

To eject a key store after boot if you are using an external device as key store (recommended for security reasons):

  1. Go to Control Panel > Shared Folder > Encryption > Key Manager.
  2. Click Configure.
  3. Tick Eject device after boot.
  4. Click OK to save the settings.

To use Key Manager to manage existing encryption keys for shared folders automatically mounted on boot:

This is applicable to shared folders created on or before DSM 6.0. To manage the keys with Key Manager, migrate the keys through either of the following methods.

Migrate keys during key store initialization:

  1. When initializing a key store, tick Migrate all encryption keys to this key store for safekeeping.

Migrate keys manually:

  1. Go to Control Panel > Shared Folder > Encryption > Key Manager.
  2. Click Configure.
  3. Click Migrate now under Key Migration.
  4. If there are duplicate keys, you can choose to Overwrite duplicate keys.
  5. Click OK to save the settings.

    Note: Only encryption keys of shared folders created on or before DSM 6.0 that were automatically mounted can be migrated all at once using the Migrate now function.

To clone a key store in High Availability mode:

  1. Connect two external devices to the active server.
  2. Go to Control Panel > Shared Folder > Encryption > Key Manager.
  3. Click Clone.
  4. Select a shared folder from Source Key Store.
  5. Select a shared folder from Destination Key Store.
  6. Click OK to save the settings.

    Note: When in High Availability mode, if the encryption key is stored on the external devices connected to the active server, the encryption key will not be available for mounting encrypted shared folders on the new active server after switchover or auto failover. In this case, connect one of the external devices to the new active server to mount encrypted shared folders.

Important:

If you want to reset DSM, encryption keys stored in Key Manager will be deleted during the process. To back up encryption keys, follow these instructions:

  • Before resetting DSM (recommended)
    • Back up the encryption keys first. Go to Control Panel > Shared Folder > Encryption > Key Manager, select the keys, and click Export Key. Save the keys to another device, such as your computer or an external device.
  • After resetting DSM
    1. Re-initialize the key store and add encryption keys to it.
    2. Use the encryption keys to manually mount each encrypted folder.